Contributor II

Handling Corporate Wi-Fi PSK

I'm polling the group.  For those of you who still use PSKs (and not RADIUS or 802.1X, for example) for Wi-Fi connections, I am curious about your discipline for handling the PSKs. Are there ever times or moments where you provide PSKs to the users, or do you insist on inputting them into the device's wireless profile, so that users have no need to handle them?

---
Eric Geater, CISSP
I've always said, "There's nothing an agnostic can't do if he really doesn't know whether he believes in anything or not."
5 Replies
Community Champion

Re: Handling Corporate Wi-Fi PSK

Eric @ericgeater 

My previous company maintained two wifi connections, one for employees to log into the corporate network using 2-factor (RSA) authentication, and the other a guest network that connected only to the Internet, with no internal corporate access. The guest network password was changed weekly, and given freely to visitors.

Given that even the most basic home wifi routers now have a Guest mode in addition to full internal network, why would any corporation have only their internal wifi available?

Dr. D. Cragin Shelton, CISSP
Dr.Cragin@iCloud.com
https://CraginS.blogspot.com/
Not Passing a Cert Exam is Not the Same as Failing: https://cragins.blogspot.com/2018/08/pass-rates-for-professional-exams.html
Contributor II

Re: Handling Corporate Wi-Fi PSK

Thanks for your reply.  You've correctly assumed that a guest network should be (or is already) in place.  I'm solely asking how an IT staff handles an in situ corporate Wi-Fi system if a corporately-issued device requires reconnection after issue.

If we used your example, by the way, the computer could associate to the guest Wi-Fi access, then could be remotely administered by the IT team and the corporate WPA2 profile be repaired for permanent use.

 

Or I could ask my question differently: do any readers ever have a compulsion or need to hand out the PSK for a corporate network -- at all?

---
Eric Geater, CISSP
I've always said, "There's nothing an agnostic can't do if he really doesn't know whether he believes in anything or not."
Community Champion

Re: Handling Corporate Wi-Fi PSK

Eric @ericgeater after reading your reply I re-read the original post. This time I realized what you meant with "or do you insist on inputting them into the device's wireless profile, so that users have no need to handle them?"

 

That procedure seems inappropriate because someone with access to the device might be able to get into both it and the network by cracking only the device access process. Solid authentication into the device and separate authentication into the network seems like a better plan.

Craig

Dr. D. Cragin Shelton, CISSP
Dr.Cragin@iCloud.com
https://CraginS.blogspot.com/
Community Champion

Re: Handling Corporate Wi-Fi PSK

We have a third wifi network for devices that can not handle WPA2, such as warehouse scan guns.  For this, we hand out a pre-shared key and also white-list the device MAC address.  

 

 

Contributor II

Re: Handling Corporate Wi-Fi PSK

Maybe I'm misunderstanding you.

 

Before a technician provides a computer to an employee, they typically configure Wi-Fi on the employee's behalf for the corporate network.  They input the SSID, insert the corporate pre-shared key, then save this into the employee's profile.  That way the employee should always connect to the corporate network when in the office.

 

If, for some reason, a computer "forgets" the corporate PSK, we typically do not hand it out for the employee to put back in on their own.  We'll give them the guest account SSID and PSK, then remotely control their computer and replace the corporate SSID and PSK.  We never communicate the actual PSK to the users.

 

I would prefer to never tell the users the pre-shared key, because they have no reason to possess it.  We never hand out the administrator password, so I'm curious if there are any cases when it's okay to provide an employee the PSK.

 

I know this is a targeted question, and I thank you for putting up with it.

---
Eric Geater, CISSP
I've always said, "There's nothing an agnostic can't do if he really doesn't know whether he believes in anything or not."